Our recent feature on the growing vulnerability of passwords chronicled the myriad ways crackers extract clues used to guess other people's login credentials. Add to that list a password reminder feature built into recent versions of Microsoft's Windows operating system.

It turns out the password hints for Windows 7 and 8 are stored in the registry in a scrambled format that can easily be converted into human-readable form. That information would be useful to attackers who obtain the password hash from a targeted computer but are unable to crack it. Jonathan Claudius, the SpiderLabs vulnerability researcher who documented the behavior, has written a script that automates the extraction and added it to Metasploit, an open-source toolkit popular among whitehat and blackhat hackers alike.

The hint is written to the registry when a user configures a Windows account to show a reminder for the password needed to access it. When Claudius first saw the long string of letters and numbers that stored the hint, he thought it had been encrypted. On closer examination, he found that an eight-line Ruby script decoded the text in a single step.

"Although this stuff looked a bit unreadable on the surface we can now see that it can clearly be decoded and could be used by tools that extract the information from the SAM," he wrote, referring to the "security accounts manager" section of the registry. "This seems like it would be very helpful for penetration testers by giving them more insight into what the user's password might be, so I decided to take it one step further."

The hints are available to anyone with physical access to a targeted PC, as Microsoft makes clear when a Windows account is created or modified. But until now, those hints provided no help to attackers who use a drive-by website exploit or a similar attack to extract only the underlying password hashes, and that is where techniques like this come in. One caveat: the hint sits in the SAM hive, which by default is readable only by SYSTEM, so extracting it requires the same level of access as dumping the hashes themselves. What it adds is a targeted guess for a hash that otherwise resists cracking: a hint such as "My favorite color" or "My first car" can make all the difference.

Promoted Comments

I don't think I've ever seen so many posters commenting on an article that they haven't understood! People, this isn't about having physical access to the computer. It's about having REMOTE access to the password hint in order to more easily effect a REMOTE login. It's a vulnerability that should be fixed.

Here's the thing - in order for a "password hint" to be remotely problematic, a person would have to read it and then sit there and try to guess your password. They could do this in offline mode, but they sure aren't going to have the manpower to do this for any widespread attack and they aren't going to be able to do it willy-nilly (random people) - because by the time they're doing that, they're scraping, which means they're using something automated.

That automated process isn't going to say "Favorite car? OK, I have a database of cars here to try against" - they're just not that sophisticated in this day and age because that requires a level of targeted intelligence and also classifications of keywords that would match together based upon these password hints.

So in short, it's not a problem for widespread attacks because the hints don't mean anything to a computer trying to crack passwords.

And it most likely won't mean anything to a person trying to "one-up" someone because even with it, they'd have to start guessing manually and that's a really slow process. Add in that if a person is that motivated to get this data, they've already: Decrypted and/or accessed the file system in question and they most likely already know a lot of information about the subject which would have likely lead their quest to password guesses down a narrowed path anyway.

Thus, the target area is very very narrow by which this causes any sort of "harm".

First off, I'm extremely skeptical that those hints would provide any useful information for cracking a password that wasn't already vulnerable to a simple dictionary attack.

Second off, I'm assuming these keys are under HKLM, so the would-be attacker needs admin access to the machine in question before they can read them. I don't believe Windows saves password hints for domain credentials (correct me if I'm wrong here Dan.) So in other words this is of questionable use for compromising a machine that the attacker already has full admin access to.

It's easier and quicker to just download Trinity Rescue Kit. It quickly removes the password from a user's account. I've found it MUCH easier to unlock Windows 7 machines than it was to unlock Win XP machines.

hux wrote:

I don't think I've ever seen so many posters commenting on an article that they haven't understood! People, this isn't about having physical access to the computer. It's about having REMOTE access to the password hint in order to more easily effect a REMOTE login. It's a vulnerability that should be fixed.

I don't understand: is the news here that they found the location of the hints, that they're able to unscramble them, or that they can be accessed remotely? Because if it is physical access, it is useless for people with hashes, and it's obvious that Windows engineers can't completely obscure it, as it should be accessible without a password as plaintext. They just obscured it by making it a little difficult...

If Microsoft didn't consider the hint sensitive, why do you reckon engineers went through the trouble of obscuring it in the registry?

To make it difficult enough that ordinary people or poor programmers don't start messing with it?

I mean, the Frequently Used Programs list is also enciphered ('encrypted' is too strong a word to use), but it has nothing to do with security - it's only to discourage the average registry 'power user' or hack programmer from editing the list. If you know the cipher and the format, you could go right ahead and edit it. Jump Lists are another example.

Let's do it another way: if Microsoft felt it was sensitive, why didn't they encrypt it?

hux wrote:

I don't think I've ever seen so many posters commenting on an article that they haven't understood! People, this isn't about having physical access to the computer. It's about having REMOTE access to the password hint in order to more easily effect a REMOTE login. It's a vulnerability that should be fixed.

Or... not.

Okay, the hint is stored in the registry, right? So that means you have to get the user to run your script. Which means they're already logged in, so why not do something more productive like, say, a keyboard logger, which has the added advantage of being able to get the password without guesswork?

If this is all there is to it, then it seems like this is the equivalent of those 'security flaws' that start off as 'first you log in as an administrator'...

Making guesses based on vague hints is useless. "My favourite animal"... Well, I ran all the animals in the universe against your username already. Nah, I didn't know... they simply were in the dictionaries I use...

hux wrote:

I don't think I've ever seen so many posters commenting on an article that they haven't understood! People, this isn't about having physical access to the computer. It's about having REMOTE access to the password hint in order to more easily effect a REMOTE login. It's a vulnerability that should be fixed.

dangoodin wrote:

Emon wrote:

Uh, if you have the hash, you don't need control over the PC to crack it. You can do it on any machine, anywhere. You can load it into a rainbow table and be done with it.

As to why they obscured it, you've got me. I don't even know how it was obscured. Maybe someone was being paranoid. This is really not a concern given that someone already has physical access.

Sigh. For the last time, having the hash in no way means the attacker already has physical access.

Really? Here is the post from SpiderLabs that you mention. It is quite clear about the need for SYSTEM access to the registry. This means remote power user or better access with Remote Registry service enabled, local system access, or access to the filesystem. Alternately, similar SYSTEM access via a different known exploit will work, but again, by that time, you have SYSTEM level access.

It was pretty unethical to promote a comment which furthers FUD and falsely bolsters the claim that this is a remote exploit that is unstoppable. The average home DSL router stops this in its tracks, as does Windows Firewall along with proper security updates.

As far as the remote usage of Meterpreter (Metasploit), by the time you reach a level of access where you can strip the hashes, you can do more useful things like add a new user and enable RDP.

None of this is anywhere near the Windows NT 4.0 (or Windows 2000/2003 legacy support for) access to NTLM hashes anonymously over a network.

All of the confusion would have been avoided if you had taken 5 seconds to link straight to the source from which you ripped the image at the top of the article.

But until now, those hints provided no help to hackers who use a drive-by website exploit or other similar attack to extract only the underlying password hashes. And that's where techniques like these come in.

So in order to get the password hint I have to successfully exploit the box; which would then aid me (questionably) in successfully exploiting the box. *face-palm*

This is so yesterday. There are a hundred ways to get the actual password with less effort, or better yet delete it. You guys may think you are secure, but I am here to tell you, there is nothing you can do that can't be undone. Password cracking is one of the oldest and easiest hacks to do in Windows OS. Win 8 now makes it easy to get your email password. Mac OS passwords are even easier to crack.

Security ha, this is funny. None of us are safe. They will fix it on one of the "Patch Tuesdays".

This is so yesterday. There are a hundred ways to get the actual password with less effort, or better yet delete it. You guys may think you are secure, but I am here to tell you, there is nothing you can do that can't be undone. Password cracking is one of the oldest and easiest hacks to do in Windows OS. Win 8 now makes it easy to get your email password. Mac OS passwords are even easier to crack.

Security ha, this is funny. None of us are safe. They will fix it on one of the "Patch Tuesdays".

Red Hat Enterprise Linux is the fastest with local (or VM console) access. Reboot to runlevel 1 (safemode), reset root password. Done. It doesn't even require a token like a password reset USB key or similar.

Really? Here is the post from SpiderLabs that you mention. It is quite clear about the need for SYSTEM access to the registry. This means remote power user or better access with Remote Registry service enabled, local system access, or access to the filesystem. Alternately, similar SYSTEM access via a different known exploit will work, but again, by that time, you have SYSTEM level access.

Dammit, returned to post basically this. *shakes fist*

To add some context, SYSTEM is basically the superuser (su) of the Windows world. If someone has SYSTEM access, then there's no way they're going to be screwing around with password hints.

hux wrote:

I don't think I've ever seen so many posters commenting on an article that they haven't understood! People, this isn't about having physical access to the computer. It's about having REMOTE access to the password hint in order to more easily effect a REMOTE login. It's a vulnerability that should be fixed.

I think I have a pretty good understanding of the subject matter of the article and it doesn't explain how A) you pull off this exploit without admin access to the machine or B) once you have the hint, how exactly you could use it in an attack that isn't a subset of a simple dictionary attack?

Also, just claiming that people you disagree with don't understand something isn't the best way to start an intelligent discussion. Mindlessly agreeing with the author of an article is however a good way to get your comment marked as an "Editor's Pick"

This is so yesterday. There are a hundred ways to get the actual password with less effort, or better yet delete it. You guys may think you are secure, but I am here to tell you, there is nothing you can do that can't be undone. Password cracking is one of the oldest and easiest hacks to do in Windows OS. Win 8 now makes it easy to get your email password. Mac OS passwords are even easier to crack.

Security ha, this is funny. None of us are safe. They will fix it on one of the "Patch Tuesdays".

Contrary to popular opinion, sufficiently long passwords cannot be reliably reversed using rainbow tables. A 20 character alphanumeric password would require a table on the order of exabytes to reverse. Just clearing the password won't give you access to BitLocker encrypted files.

This particular vulnerability doesn't worry me too much. A password that can be guessed from the hint is almost certainly simple enough that a standard attack could reverse it anyway, and vice versa. Of course, Microsoft could avoid the problem entirely if they upgraded to a modern hash function and started using a unique salt.

But until now, those hints provided no help to hackers who use a drive-by website exploit or other similar attack to extract only the underlying password hashes. And that's where techniques like these come in.

So in order to get the password hint I have to successfully exploit the box; which would then aid me (questionably) in successfully exploiting the box. *face-palm*

Even with admin access, you need a user's password to access his/her encrypted files.

hux wrote:

I don't think I've ever seen so many posters commenting on an article that they haven't understood! People, this isn't about having physical access to the computer. It's about having REMOTE access to the password hint in order to more easily effect a REMOTE login. It's a vulnerability that should be fixed.

I think some people are missing the point, but not in the way that you expect. This is what I gathered from the article:

1. The remote user must have access to the registry hives. This means the system must already be compromised. You can't access the registry as a guest. This must be gathered via an account that has access to the SAM hive. If you've ever popped into the registry as a non-administrative user you will be prevented from accessing the SAM. I believe the SAM is unloadable on another machine.

2. You have to have the hash. This will require LAN access. This is a big deal because now you are open to MITM attacks for all local network accesses as well as all webpages. This is a bigger problem. Obviously mitigation at this point would be difficult.

In a targeted attack, I can see how a bad password and the hint would be devastating. On the other hand, the requirements to get that information have already been elevated above where just having account access is a severe breach. Being at this point is already a severe breach.

But until now, those hints provided no help to hackers who use a drive-by website exploit or other similar attack to extract only the underlying password hashes. And that's where techniques like these come in.

So in order to get the password hint I have to successfully exploit the box; which would then aid me (questionably) in successfully exploiting the box. *face-palm*

Even with admin access, you need a user's password to access his/her encrypted files.

Yes, but by that point you can just install a key logger that hooks into msgina.dll or a script which copies all of their encrypted files to a non-encrypted folder. You do not in fact need their password.

But until now, those hints provided no help to hackers who use a drive-by website exploit or other similar attack to extract only the underlying password hashes. And that's where techniques like these come in.

So in order to get the password hint I have to successfully exploit the box; which would then aid me (questionably) in successfully exploiting the box. *face-palm*

Even with admin access, you need a user's password to access his/her encrypted files.

Not really sure what encrypted files you are referring to but it doesn't really matter. If I have admin access to your machine the game is over. Key loggers, video buffer scrapers, file system filter drivers or simply changing your password and logging in as you; the list of evil things I can do is endless. Anything I want, I will get.

Who cares about this? The password hints are visible in plain text from the log in screen. That's kind of the point, it's a hint. Duh.

Keep in mind that sometimes hackers have access to your Windows login hash but don't have control over your machine. You did read the article, yes?

I did read the article, but I don't think I read how a person or program can have access to your password hash, password hint, and not have control over your machine.

To be honest, this article is pretty sparse. It doesn't contain much technical detail, doesn't cite any sources, and left me googling for someone else to tell me what the real issue is. Once you read the post on Spider Labs' blog, you learn it requires the SYSTEM account (mentioned by others here before me) to access it which seems to negate your statement. Am I misunderstanding?

My ignorant guess would be it helps those who already know you. Let's say the password is given away in the hint, then you're in trouble if someone can access the computer, which, if you're behind a firewall or NAT'd behind a router, cuts down the number of possible attackers by quite a few. On the other hand, the hint may reveal it's something that could be semi-publicly known (color, car, birth date, etc). What the article still doesn't explain is how a "drive-by website exploit" served out from a server across the world or even in the same coffee shop can use this personal information? The only thing my feeble brain is coming up with is if it's an extremely targeted attack like Flame or Stuxnet where staying hidden was high priority, and yet I'm still having trouble piecing together what that enables that hasn't already been enabled by compromising the SYSTEM account to begin with.

Am I missing something obvious? I feel like I am, but frankly I can't tell what it is.

First off, I'm extremely skeptical that those hints would provide any useful information for cracking a password that wasn't already vulnerable to a simple dictionary attack.

Second off, I'm assuming these keys are under HKLM, so the would-be attacker needs admin access to the machine in question before they can read them. I don't believe Windows saves password hints for domain credentials (correct me if I'm wrong here Dan.) So in other words this is of questionable use for compromising a machine that the attacker already has full admin access to.

Keys under HKLM can be read by a non elevated account. They just can't be written to. If only admin elevated processes could read from HKLM, little would work right on the PC.

Surely the *entire point* of password hints is to help people who do not know the password find out what it is?

It would be pretty damn useless if you had to know the password to find out what the hint is. And if your hint allows a stranger to guess the password, then that's your fault for picking a bad hint... or for using them at all.

I honestly wouldn't worry about this. The trend for hackers seems to be to go after large databases of usernames and passwords these days and try to make a buck off them. They don't target YOU personally unless you've done something to offend them or are a high profile target. If you fall into one of those two categories, chances are you're already doing something about your security anyway!

Who cares about this? The password hints are visible in plain text from the log in screen. That's kind of the point, it's a hint. Duh.

Keep in mind that sometimes hackers have access to your Windows login hash but don't have control over your machine. You did read the article, yes?

But what else can they do? A password hint has to be easily available to the system or else it can't be presented.

It is true that windows machines are supposed to have host-specific crypto keys that can help a little with this sort of thing; but I don't think these keys are all that well protected (for much the same reason that password hints can't be protected properly).

First off, I'm extremely skeptical that those hints would provide any useful information for cracking a password that wasn't already vulnerable to a simple dictionary attack.

Second off, I'm assuming these keys are under HKLM, so the would-be attacker needs admin access to the machine in question before they can read them. I don't believe Windows saves password hints for domain credentials (correct me if I'm wrong here Dan.) So in other words this is of questionable use for compromising a machine that the attacker already has full admin access to.

Keys under HKLM can be read by a non elevated account. They just can't be written to. If only admin elevated processes could read from HKLM, little would work right on the PC.

I honestly wouldn't worry about this. The trend for hackers seems to be to go after large databases of usernames and passwords these days and try to make a buck off them. They don't target YOU personally unless you've done something to offend them or are a high profile target. If you fall into one of those two categories, chances are you're already doing something about your security anyway!

Exactly... with the endless amount of remote unauthenticated user exploits still coming in update patches, you would be pretty naive to think that on a net-connected machine you are beyond reproach if someone hardcore really wanted to get in. If a hacker can compromise a million credit cards in the same time it takes to break into your Ars Technica account details, unless you really ticked them off, they are going for the credit cards.